| |
| |||||||
Plagegeister aller Art und deren Bekämpfung: Und nochjemand mit Rootkit RKIT/Agent.biiu :(Windows 7 Wenn Du nicht sicher bist, ob Du dir Malware oder Trojaner eingefangen hast, erstelle hier ein Thema. Ein Experte wird sich mit weiteren Anweisungen melden und Dir helfen die Malware zu entfernen oder Unerwünschte Software zu deinstallieren bzw. zu löschen. Bitte schildere dein Problem so genau wie möglich. Sollte es ein Trojaner oder Viren Problem sein wird ein Experte Dir bei der Beseitigug der Infektion helfen. |
 |
12.09.2010, 17:35
| #1 |
 |  Und nochjemand mit Rootkit RKIT/Agent.biiu :( Hey, seit einem gestrigen Neustart zeigt mein Windows Vista System die ein oder andere komische Treiber Fehlermeldung beim hochfahren. Meine Firewire Audiogeräte funktionieren nicht mehr wie sie sollen. Ein Suchlauf mit Antivir brachte folgendes Ergebnis: Die Datei 'C:\Windows\System32\drivers\ukwbl.sys' enthielt einen Virus oder unerwünschtes Programm 'RKIT/Agent.biiu' [trojan]. Durchgeführte Aktion(en): Beim Versuch eine Sicherungskopie der Datei anzulegen ist ein Fehler aufgetreten und die Datei wurde nicht gelöscht. Fehlernummer: 26004. Die Quelldatei konnte nicht gefunden werden. Es wird versucht die Aktion mit Hilfe der ARK Library durchzuführen. Fehler in der ARK Library. Die Datei konnte nicht zum Löschen nach dem Neustart markiert werden.Mögliche Ursache: Ein an das System angeschlossenes Gerät funktioniert nicht. . Folgende Logfiles: OTL:OTL Logfile: Code:
ATTFilter OTL logfile created on: 12.09.2010 17:38:58 - Run 1 OTL by OldTimer - Version 3.2.12.0 Folder = C:\Users\Sawdust\Desktop Windows Vista Business Edition Service Pack 1 (Version = 6.0.6001) - Type = NTWorkstation Internet Explorer (Version = 8.0.6001.18828) Locale: 00000407 | Country: Deutschland | Language: DEU | Date Format: dd.MM.yyyy 3,00 Gb Total Physical Memory | 1,00 Gb Available Physical Memory | 50,00% Memory free 6,00 Gb Paging File | 4,00 Gb Available in Paging File | 74,00% Paging File free Paging file location(s): ?:\pagefile.sys [binary data] %SystemDrive% = C: | %SystemRoot% = C:\Windows | %ProgramFiles% = C:\Program Files Drive C: | 150,66 Gb Total Space | 3,46 Gb Free Space | 2,30% Space Free | Partition Type: NTFS D: Drive not present or media not loaded Drive E: | 145,97 Gb Total Space | 19,80 Gb Free Space | 13,56% Space Free | Partition Type: NTFS F: Drive not present or media not loaded G: Drive not present or media not loaded H: Drive not present or media not loaded I: Drive not present or media not loaded Computer Name: SAWDUSTMOBIL Current User Name: Sawdust Logged in as Administrator. Current Boot Mode: Normal Scan Mode: All users Company Name Whitelist: On Skip Microsoft Files: On File Age = 90 Days Output = Standard Quick Scan ========== Processes (SafeList) ========== PRC - [2010.09.12 17:32:57 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Users\Sawdust\Desktop\HiJackThis204.exe PRC - [2010.09.12 17:18:24 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Users\Sawdust\Desktop\OTL.exe PRC - [2010.08.09 15:27:06 | 000,836,464 | ---- | M] (Opera Software) -- C:\Programme\Opera\opera.exe PRC - [2010.04.29 12:19:18 | 001,090,952 | ---- | M] (Malwarebytes Corporation) -- C:\Programme\Malwarebytes' Anti-Malware\mbam.exe PRC - [2009.12.10 12:55:15 | 000,470,785 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\avcenter.exe PRC - [2009.11.16 17:36:19 | 000,172,792 | ---- | M] (ICQ, LLC.) -- C:\Programme\ICQ6.5\ICQ.exe PRC - [2009.07.21 14:34:28 | 000,185,089 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\avguard.exe PRC - [2009.07.13 23:18:12 | 000,071,096 | ---- | M] () -- C:\Programme\CDBurnerXP\NMSAccessU.exe PRC - [2009.05.19 23:53:03 | 000,207,360 | ---- | M] (AVM Berlin) -- C:\Users\Sawdust\AppData\Local\Apps\2.0\R84O6XE3.0 5Z\DWG4CRRD.CJB\frit..tion_f8d772dfbb3f7453_0002.0 001_0db5bf169ed5c0c1\fritzbox-usb-fernanschluss.exe PRC - [2009.05.13 16:48:18 | 000,108,289 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\sched.exe PRC - [2009.03.02 13:08:43 | 000,209,153 | ---- | M] (Avira GmbH) -- C:\Programme\Avira\AntiVir Desktop\avgnt.exe PRC - [2008.10.29 08:29:41 | 002,927,104 | ---- | M] (Microsoft Corporation) -- C:\Windows\explorer.exe PRC - [2008.07.18 20:39:30 | 000,083,312 | ---- | M] (TOSHIBA Corporation) -- C:\Programme\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe PRC - [2008.04.26 15:57:06 | 000,716,800 | ---- | M] (TOSHIBA Corporation.) -- C:\Programme\Toshiba\HDMICtrlMan\HDMICtrlMan.exe PRC - [2008.04.24 10:21:56 | 000,099,720 | ---- | M] (Toshiba Europe GmbH) -- C:\Programme\Toshiba TEMPRO\TempoSVC.exe PRC - [2008.04.22 11:44:00 | 000,648,520 | ---- | M] (TOSHIBA CORPORATION.) -- c:\Programme\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe PRC - [2008.04.18 19:27:52 | 000,316,744 | ---- | M] (TOSHIBA CORPORATION.) -- c:\Programme\Toshiba\Bluetooth Toshiba Stack\TosOBEX.exe PRC - [2008.04.18 19:27:40 | 000,288,072 | ---- | M] (TOSHIBA CORPORATION.) -- c:\Programme\Toshiba\Bluetooth Toshiba Stack\TosBtHSP.exe PRC - [2008.04.17 10:39:02 | 000,667,648 | ---- | M] (TOSHIBA Corporation.) -- C:\Programme\Toshiba\HDMICtrlMan\HCMSoundChanger.e xe PRC - [2008.04.17 00:21:24 | 001,056,768 | ---- | M] (TOSHIBA CORPORATION) -- C:\Programme\Toshiba\ConfigFree\NDSTray.exe PRC - [2008.04.17 00:19:48 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) -- C:\Programme\Toshiba\ConfigFree\CFSvcs.exe PRC - [2008.04.17 00:19:16 | 000,405,504 | ---- | M] (TOSHIBA CORPORATION) -- C:\Programme\Toshiba\ConfigFree\CFSwMgr.exe PRC - [2008.04.16 16:43:32 | 002,577,736 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Programme\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe PRC - [2008.04.14 23:05:40 | 002,979,144 | ---- | M] (TOSHIBA CORPORATION.) -- C:\Programme\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe PRC - [2008.04.11 11:57:14 | 000,124,264 | ---- | M] (TOSHIBA CORPORATION) -- c:\Programme\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe PRC - [2008.03.31 19:08:50 | 000,083,272 | ---- | M] (TOSHIBA CORPORATION.) -- c:\Programme\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe PRC - [2008.01.21 04:23:49 | 000,215,552 | ---- | M] (Microsoft Corporation) -- C:\Windows\WindowsMobile\wmdSync.exe PRC - [2008.01.17 16:27:34 | 000,431,456 | ---- | M] (TOSHIBA Corporation) -- C:\Programme\Toshiba\Power Saver\TosCoSrv.exe PRC - [2008.01.09 10:38:44 | 000,288,072 | ---- | M] (TOSHIBA CORPORATION.) -- c:\Programme\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe PRC - [2007.12.03 17:03:52 | 000,126,976 | ---- | M] (TOSHIBA Corporation) -- C:\Programme\Toshiba\SMARTLogService\TosIPCSrv.exe PRC - [2007.11.21 17:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) -- C:\Windows\System32\TODDSrv.exe PRC - [2007.10.10 17:36:42 | 001,126,400 | ---- | M] (PreSonus Audio Electronics) -- C:\Programme\PreSonus\1394AudioDriver_FP10\FP10.ex e PRC - [2007.10.10 17:28:48 | 001,126,400 | ---- | M] (PreSonus Audio Electronics) -- C:\Programme\PreSonus\1394AudioDriver_FirePod\Fire Pod.exe PRC - [2007.08.24 07:00:48 | 000,033,648 | ---- | M] (Microsoft Corporation) -- C:\Programme\Microsoft Office\Office12\GrooveMonitor.exe PRC - [2007.02.12 10:43:44 | 000,065,536 | ---- | M] (O2Micro International) -- C:\Programme\O2Micro Flash Memory Card Driver\o2flash.exe ========== Modules (SafeList) ========== MOD - [2010.09.12 17:18:24 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Users\Sawdust\Desktop\OTL.exe MOD - [2010.09.11 17:24:52 | 000,046,592 | -H-- | M] () -- C:\Windows\System32\Complder.dll MOD - [2008.01.21 04:25:02 | 000,110,592 | ---- | M] (Microsoft Corporation) -- C:\Windows\System32\msscript.ocx MOD - [2008.01.21 04:24:11 | 001,684,480 | ---- | M] (Microsoft Corporation) -- C:\Windows\winsxs\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6001.18000_none_5cdb aa5a083979cc\comctl32.dll ========== Win32 Services (SafeList) ========== SRV - File not found [Auto | Stopped] -- C:\Program Files\Digidesign\Drivers\MMERefresh.exe -- (DigiRefresh) SRV - [2009.07.21 14:34:28 | 000,185,089 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\avguard.exe -- (AntiVirService) SRV - [2009.07.13 23:18:12 | 000,071,096 | ---- | M] () [Auto | Running] -- C:\Programme\CDBurnerXP\NMSAccessU.exe -- (NMSAccessU) SRV - [2009.05.13 16:48:18 | 000,108,289 | ---- | M] (Avira GmbH) [Auto | Running] -- C:\Program Files\Avira\AntiVir Desktop\sched.exe -- (AntiVirSchedulerService) SRV - [2008.08.25 09:58:20 | 000,077,824 | ---- | M] (Toshiba) [Disabled | Stopped] -- C:\Program Files\Toshiba\SmartFaceV\SmartFaceVWatchSrv.exe -- (SmartFaceVWatchSrv) SRV - [2008.07.18 20:39:30 | 000,083,312 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Programme\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe -- (TNaviSrv) SRV - [2008.04.24 10:21:56 | 000,099,720 | ---- | M] (Toshiba Europe GmbH) [Auto | Running] -- C:\Program Files\Toshiba TEMPRO\TempoSVC.exe -- (TempoMonitoringService) SRV - [2008.04.17 00:19:48 | 000,040,960 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe -- (ConfigFree Service) SRV - [2008.04.11 11:57:14 | 000,124,264 | ---- | M] (TOSHIBA CORPORATION) [Auto | Running] -- c:\Programme\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe -- (TOSHIBA Bluetooth Service) SRV - [2008.01.21 04:23:59 | 000,272,952 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Programme\Windows Defender\MpSvc.dll -- (WinDefend) SRV - [2008.01.21 04:23:49 | 000,365,568 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\wcescomm.dll -- (WcesComm) SRV - [2008.01.21 04:23:49 | 000,167,936 | ---- | M] (Microsoft Corporation) [Auto | Running] -- C:\Windows\WindowsMobile\rapimgr.dll -- (RapiMgr) SRV - [2008.01.17 16:27:34 | 000,431,456 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe -- (TosCoSrv) SRV - [2007.12.03 17:03:52 | 000,126,976 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe -- (TOSHIBA SMART Log Service) SRV - [2007.11.21 17:23:32 | 000,129,632 | ---- | M] (TOSHIBA Corporation) [Auto | Running] -- C:\Windows\System32\TODDSrv.exe -- (TODDSrv) SRV - [2007.02.12 10:43:44 | 000,065,536 | ---- | M] (O2Micro International) [Auto | Running] -- C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe -- (o2flash) ========== Driver Services (SafeList) ========== DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\0867D.tmp -- (yjboizih) DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\0BF19.tmp -- (vhvumskf) DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\08803.tmp -- (tmybvqlj) DRV - File not found [Kernel | Boot | Stopped] -- C:\Windows\System32\drivers\TfSysMon.sys -- (TfSysMon) DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TfNetMon.sys -- (TfNetMon) DRV - File not found [Kernel | Boot | Stopped] -- C:\Windows\System32\drivers\TfFsMon.sys -- (TfFsMon) DRV - File not found [Kernel | Disabled | Stopped] -- C:\Windows\System32\drivers\pctplsg.sys -- (pctplsg) DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkfwd.sys -- (NwlnkFwd) DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\nwlnkflt.sys -- (NwlnkFlt) DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\09819.tmp -- (luiznhmes) DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\0273E.tmp -- (kavdhnkn) DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\ipinip.sys -- (IpInIp) DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Program Files\Common Files\Symantec Shared\EENGINE\EraserUtilDrv10920.sys -- (EraserUtilDrv10920) DRV - File not found [Kernel | On_Demand | Stopped] -- C:\Windows\System32\DRIVERS\emusba10.sys -- (emusba10) DRV - [2010.04.29 12:19:24 | 000,038,224 | ---- | M] (Malwarebytes Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\mbamswissarmy.sys -- (MBAMSwissArmy) DRV - [2009.12.10 12:55:15 | 000,056,816 | ---- | M] (Avira GmbH) [File_System | Auto | Running] -- C:\Windows\System32\drivers\avgntflt.sys -- (avgntflt) DRV - [2009.05.19 23:52:54 | 000,101,248 | ---- | M] (AVM Berlin) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\avmaura.sys -- (avmaura) DRV - [2009.05.11 10:12:20 | 000,028,520 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\ssmdrv.sys -- (ssmdrv) DRV - [2009.04.23 23:35:26 | 000,721,904 | ---- | M] () [Kernel | Boot | Running] -- C:\Windows\System32\Drivers\sptd.sys -- (sptd) DRV - [2009.03.30 10:33:03 | 000,096,104 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Windows\System32\drivers\avipbb.sys -- (avipbb) DRV - [2009.02.13 12:35:01 | 000,011,608 | ---- | M] (Avira GmbH) [Kernel | System | Running] -- C:\Programme\Avira\AntiVir Desktop\avgio.sys -- (avgio) DRV - [2008.12.04 03:02:02 | 000,016,400 | ---- | M] (Digidesign, A Division of Avid Technology, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\diginet.sys -- (DigiNet) DRV - [2008.12.04 03:01:50 | 000,097,808 | ---- | M] (Digidesign, A Division of Avid Technology, Inc.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\Dalwdm.sys -- (dalwdmservice) DRV - [2008.11.08 10:55:24 | 000,101,760 | R--- | M] (Huawei Technologies Co., Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\ewusbmdm.sys -- (hwdatacard) DRV - [2008.09.08 13:04:46 | 000,093,232 | ---- | M] (PACE Anti-Piracy, Inc.) [Kernel | Boot | Running] -- C:\Windows\System32\drivers\TPkd.sys -- (TPkd) DRV - [2008.07.18 18:52:16 | 000,279,376 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\tos_sps32.sys -- (tos_sps32) DRV - [2008.06.20 06:37:06 | 000,112,128 | ---- | M] (Intel(R) Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\IntcHdmi.sys -- (IntcHdmiAddService) Intel(R) DRV - [2008.06.12 12:43:16 | 002,381,312 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\igdkmd32.sys -- (igfx) DRV - [2008.04.28 00:29:26 | 003,658,752 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\NETw5v32.sys -- (NETw5v32) Intel(R) DRV - [2008.04.23 17:15:26 | 000,131,712 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tosrfbd.sys -- (tosrfbd) DRV - [2008.04.15 17:53:44 | 000,312,344 | ---- | M] (Intel Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\iaStor.sys -- (iaStor) DRV - [2008.04.15 04:13:14 | 000,051,160 | ---- | M] (O2Micro ) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\o2media.sys -- (O2MDRDR) DRV - [2008.04.04 11:57:00 | 000,310,272 | ---- | M] (Marvell) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\yk60x86.sys -- (yukonwlh) DRV - [2008.03.25 13:54:02 | 000,041,472 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tosporte.sys -- (tosporte) DRV - [2008.03.19 11:38:24 | 000,074,112 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\Tosrfhid.sys -- (Tosrfhid) DRV - [2008.03.04 19:32:00 | 000,188,416 | ---- | M] (Conexant Systems Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\CHDRT32.sys -- (CnxtHdAudService) DRV - [2008.01.22 20:57:48 | 000,054,144 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\TosRfSnd.sys -- (TosRfSnd) DRV - [2008.01.21 04:23:51 | 000,386,616 | ---- | M] (LSI Corporation, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasr.sys -- (MegaSR) DRV - [2008.01.21 04:23:51 | 000,149,560 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu320.sys -- (adpu320) DRV - [2008.01.21 04:23:51 | 000,074,808 | ---- | M] (Silicon Integrated Systems) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sisraid4.sys -- (SiSRaid4) DRV - [2008.01.21 04:23:51 | 000,040,504 | ---- | M] (Hewlett-Packard Company) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\hpcisss.sys -- (HpCISSs) DRV - [2008.01.21 04:23:51 | 000,031,288 | ---- | M] (LSI Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\megasas.sys -- (megasas) DRV - [2008.01.21 04:23:50 | 000,300,600 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpahci.sys -- (adpahci) DRV - [2008.01.21 04:23:50 | 000,101,432 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adpu160m.sys -- (adpu160m) DRV - [2008.01.21 04:23:50 | 000,089,656 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_sas.sys -- (LSI_SAS) DRV - [2008.01.21 04:23:49 | 001,122,360 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql2300.sys -- (ql2300) DRV - [2008.01.21 04:23:49 | 000,118,784 | ---- | M] (Intel Corporation) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\E1G60I32.sys -- (E1G60) Intel(R) DRV - [2008.01.21 04:23:49 | 000,079,928 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arcsas.sys -- (arcsas) DRV - [2008.01.21 04:23:48 | 000,130,616 | ---- | M] (VIA Technologies Inc.,Ltd) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\vsmraid.sys -- (vsmraid) DRV - [2008.01.21 04:23:48 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_fc.sys -- (LSI_FC) DRV - [2008.01.21 04:23:48 | 000,079,416 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\arc.sys -- (arc) DRV - [2008.01.21 04:23:47 | 000,235,064 | ---- | M] (Intel Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iastorv.sys -- (iaStorV) DRV - [2008.01.21 04:23:47 | 000,115,816 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata2.sys -- (ulsata2) DRV - [2008.01.21 04:23:47 | 000,096,312 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\lsi_scsi.sys -- (LSI_SCSI) DRV - [2008.01.21 04:23:46 | 000,342,584 | ---- | M] (Emulex) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\elxstor.sys -- (elxstor) DRV - [2008.01.21 04:23:45 | 000,422,968 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\adp94xx.sys -- (adp94xx) DRV - [2008.01.21 04:23:45 | 000,238,648 | ---- | M] (ULi Electronics Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\uliahci.sys -- (uliahci) DRV - [2008.01.21 04:23:45 | 000,102,968 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvraid.sys -- (nvraid) DRV - [2008.01.21 04:23:45 | 000,045,112 | ---- | M] (NVIDIA Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nvstor.sys -- (nvstor) DRV - [2008.01.21 04:23:26 | 000,020,024 | ---- | M] (VIA Technologies, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\viaide.sys -- (viaide) DRV - [2008.01.21 04:23:26 | 000,019,000 | ---- | M] (CMD Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\cmdide.sys -- (cmdide) DRV - [2008.01.21 04:23:26 | 000,017,464 | ---- | M] (Acer Laboratories Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\aliide.sys -- (aliide) DRV - [2007.12.17 11:45:20 | 000,018,432 | ---- | M] (Chicony Electronics Co., Ltd.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\UVCFTR_S.SYS -- (UVCFTR) DRV - [2007.11.29 18:58:56 | 000,196,144 | ---- | M] (Synaptics, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\SynTP.sys -- (SynTP) DRV - [2007.11.29 09:45:44 | 000,036,608 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tosrfbnp.sys -- (tosrfbnp) DRV - [2007.11.09 14:00:52 | 000,023,640 | ---- | M] (TOSHIBA Corporation) [Kernel | Boot | Running] -- C:\Windows\system32\DRIVERS\TVALZ_O.SYS -- (TVALZ) DRV - [2007.10.18 14:25:00 | 000,041,856 | ---- | M] (TOSHIBA CORPORATION) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tosrfusb.sys -- (Tosrfusb) DRV - [2007.10.09 17:32:24 | 000,123,440 | ---- | M] (BridgeCo AG) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\pae_1394.sys -- (pae_1394) DRV - [2007.10.09 17:32:24 | 000,051,248 | ---- | M] (BridgeCo AG) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\pae_avs.sys -- (pae_avs) DRV - [2007.10.02 11:43:22 | 000,064,128 | ---- | M] (TOSHIBA Corporation) [Kernel | System | Running] -- C:\Windows\System32\drivers\tosrfcom.sys -- (Tosrfcom) DRV - [2007.08.29 15:50:46 | 000,039,296 | ---- | M] (Frontier Design Group, LLC) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\US224Wdm.sys -- (Us224WdmService) DRV - [2007.08.29 15:50:34 | 000,018,176 | ---- | M] (Frontier Design Group) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\US224DL.sys -- (US224DL) DRV - [2007.08.29 15:50:02 | 000,150,272 | ---- | M] (Frontier Design Group, LLC) [Kernel | On_Demand | Stopped] -- C:\Windows\System32\drivers\US224.sys -- (US224) DRV - [2007.08.07 06:26:14 | 000,008,704 | ---- | M] (Conexant Systems, Inc.) [Kernel | Auto | Running] -- C:\Windows\System32\drivers\XAudio.sys -- (XAudio) DRV - [2007.08.02 09:52:50 | 000,985,600 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_DPV.sys -- (HSF_DPV) DRV - [2007.08.02 09:51:18 | 000,208,896 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSXHWAZL.sys -- (HSXHWAZL) DRV - [2007.08.02 09:51:08 | 000,660,480 | ---- | M] (Conexant Systems, Inc.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\HSX_CNXT.sys -- (winachsf) DRV - [2007.04.09 17:13:00 | 000,008,192 | ---- | M] (TOSHIBA) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\QIOMem.sys -- (QIOMem) DRV - [2006.11.02 11:50:35 | 000,106,088 | ---- | M] (QLogic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ql40xx.sys -- (ql40xx) DRV - [2006.11.02 11:50:35 | 000,098,408 | ---- | M] (Promise Technology, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ulsata.sys -- (UlSata) DRV - [2006.11.02 11:50:19 | 000,045,160 | ---- | M] (IBM Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\nfrd960.sys -- (nfrd960) DRV - [2006.11.02 11:50:17 | 000,041,576 | ---- | M] (Intel Corp./ICP vortex GmbH) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iirsp.sys -- (iirsp) DRV - [2006.11.02 11:50:11 | 000,071,272 | ---- | M] (Adaptec, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\djsvs.sys -- (aic78xx) DRV - [2006.11.02 11:50:09 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteraid.sys -- (iteraid) DRV - [2006.11.02 11:50:07 | 000,035,944 | ---- | M] (Integrated Technology Express, Inc.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\iteatapi.sys -- (iteatapi) DRV - [2006.11.02 11:50:05 | 000,035,944 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\symc8xx.sys -- (Symc8xx) DRV - [2006.11.02 11:50:03 | 000,034,920 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_u3.sys -- (Sym_u3) DRV - [2006.11.02 11:49:59 | 000,033,384 | ---- | M] (LSI Logic Corporation) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\mraid35x.sys -- (Mraid35x) DRV - [2006.11.02 11:49:56 | 000,031,848 | ---- | M] (LSI Logic) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\sym_hi.sys -- (Sym_hi) DRV - [2006.11.02 10:25:24 | 000,071,808 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserid.sys -- (Brserid) Brother MFC Serial Port Interface Driver (WDM) DRV - [2006.11.02 10:24:47 | 000,011,904 | ---- | M] (Brother Industries Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brusbser.sys -- (BrUsbSer) DRV - [2006.11.02 10:24:46 | 000,005,248 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltup.sys -- (BrFiltUp) DRV - [2006.11.02 10:24:45 | 000,013,568 | ---- | M] (Brother Industries, Ltd.) [Kernel | On_Demand | Stopped] -- C:\Windows\system32\drivers\brfiltlo.sys -- (BrFiltLo) DRV - [2006.11.02 10:24:44 | 000,062,336 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brserwdm.sys -- (BrSerWdm) DRV - [2006.11.02 10:24:44 | 000,012,160 | ---- | M] (Brother Industries Ltd.) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\brusbmdm.sys -- (BrUsbMdm) DRV - [2006.11.02 09:36:50 | 000,020,608 | ---- | M] (N-trig Innovative Technologies) [Kernel | Disabled | Stopped] -- C:\Windows\system32\drivers\ntrigdigi.sys -- (ntrigdigi) DRV - [2006.10.23 16:32:20 | 000,009,216 | ---- | M] (TOSHIBA Corporation) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tosrfec.sys -- (tosrfec) DRV - [2006.10.18 11:50:04 | 000,016,128 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tdcmdpst.sys -- (tdcmdpst) DRV - [2005.05.09 20:08:40 | 000,033,792 | ---- | M] (Team H2O) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\cledx.sys -- (CLEDX) DRV - [2005.01.07 05:42:00 | 000,018,612 | ---- | M] (TOSHIBA Corporation.) [Kernel | On_Demand | Running] -- C:\Windows\System32\drivers\tosrfnds.sys -- (tosrfnds) ========== Standard Registry (SafeList) ========== ========== Internet Explorer ========== IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com/ig/redirectdom...TSEA&bmod=TSEA IE - HKLM\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com/ig/redirectdom...TSEA&bmod=TSEA IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com/ig/redirectdom...TSEA&bmod=TSEA IE - HKU\.DEFAULT\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com/ig/redirectdom...TSEA&bmod=TSEA IE - HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVer sion\Internet Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com/ig/redirectdom...TSEA&bmod=TSEA IE - HKU\S-1-5-18\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com/ig/redirectdom...TSEA&bmod=TSEA IE - HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Inter net Settings: "ProxyEnable" = 0 IE - HKU\S-1-5-21-3003140569-26490700-2488630799-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Default_Page_URL = hxxp://www.google.com/ig/redirectdom...SEA&bmod=TSEA; IE - HKU\S-1-5-21-3003140569-26490700-2488630799-1000\SOFTWARE\Microsoft\Internet Explorer\Main,Start Page = hxxp://www.google.com/ig/redirectdom...SEA&bmod=TSEA; IE - HKU\S-1-5-21-3003140569-26490700-2488630799-1000\SOFTWARE\Microsoft\Internet Explorer\Main,StartPageCache = 1 IE - HKU\S-1-5-21-3003140569-26490700-2488630799-1000\Software\Microsoft\Windows\CurrentVersion\Int ernet Settings: "ProxyEnable" = 0 O1 HOSTS File: ([2006.09.18 23:41:30 | 000,000,761 | ---- | M]) - C:\Windows\System32\drivers\etc\hosts O1 - Hosts: 127.0.0.1 localhost O1 - Hosts: ::1 localhost O2 - BHO: (Adobe PDF Reader) - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programme\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll (Adobe Systems Incorporated) O2 - BHO: (Groove GFS Browser Helper) - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation) O2 - BHO: (Google Toolbar Notifier BHO) - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Programme\Google\GoogleToolbarNotifier\5.2.4204 .1700\swg.dll (Google Inc.) O4 - HKLM..\Run: [00TCrdMain] C:\Programme\Toshiba\FlashCards\TCrdMain.exe (TOSHIBA Corporation) O4 - HKLM..\Run: [Adobe Reader Speed Launcher] C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe (Adobe Systems Incorporated) O4 - HKLM..\Run: [avgnt] C:\Program Files\Avira\AntiVir Desktop\avgnt.exe (Avira GmbH) O4 - HKLM..\Run: [Camera Assistant Software] C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe (Chicony) O4 - HKLM..\Run: [cfFncEnabler.exe] File not found O4 - HKLM..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe File not found O4 - HKLM..\Run: [H2O] C:\Programme\Syncrosoft\POS\H2O\cledx.exe (Team H2O) O4 - HKLM..\Run: [HDMICtrlMan] C:\Programme\Toshiba\HDMICtrlMan\HDMICtrlMan.exe (TOSHIBA Corporation.) O4 - HKLM..\Run: [HSON] C:\Programme\Toshiba\TBS\HSON.exe (TOSHIBA Corporation) O4 - HKLM..\Run: [ITSecMng] C:\Program Files\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe ( TOSHIBA CORPORATION) O4 - HKLM..\Run: [NBKeyScan] C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe (Nero AG) O4 - HKLM..\Run: [NDSTray.exe] File not found O4 - HKLM..\Run: [NeroFilterCheck] C:\Programme\Common Files\Nero\Lib\NeroCheck.exe (Nero AG) O4 - HKLM..\Run: [SmoothView] C:\Programme\Toshiba\SmoothView\SmoothView.exe (TOSHIBA Corporation) O4 - HKLM..\Run: [TPwrMain] C:\Programme\Toshiba\Power Saver\TPwrMain.exe (TOSHIBA Corporation) O4 - HKLM..\Run: [win32dll] C:\Program Files\Advanced Invisible Keylogger\Advanced Invisible Keylogger.exe File not found O4 - HKLM..\Run: [Windows Defender] C:\Program Files\Windows Defender\MSASCui.exe (Microsoft Corporation) O4 - HKLM..\Run: [Windows Mobile-based device management] C:\Windows\WindowsMobile\wmdSync.exe (Microsoft Corporation) O4 - HKU\S-1-5-19..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation) O4 - HKU\S-1-5-20..\Run: [WindowsWelcomeCenter] C:\Windows\System32\oobefldr.dll (Microsoft Corporation) O4 - HKU\S-1-5-21-3003140569-26490700-2488630799-1000..\Run: [AVMUSBFernanschluss] C:\Users\Sawdust\AppData\Local\Apps\2.0\R84O6XE3.0 5Z\DWG4CRRD.CJB\frit..tion_f8d772dfbb3f7453_0002.0 001_0db5bf169ed5c0c1\AVMAutoStart.exe (AVM Berlin) O4 - HKU\S-1-5-21-3003140569-26490700-2488630799-1000..\Run: [DAEMON Tools Lite] C:\Program Files\DAEMON Tools Lite\daemon.exe (DT Soft Ltd) O4 - HKU\S-1-5-21-3003140569-26490700-2488630799-1000..\Run: [ICQ] C:\Program Files\ICQ6.5\ICQ.exe (ICQ, LLC.) O4 - HKU\S-1-5-21-3003140569-26490700-2488630799-1000..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe (Nero AG) O4 - HKLM..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe (Malwarebytes Corporation) O4 - Startup: C:\Users\Default\AppData\Roaming\Microsoft\Windows \Start Menu\Programs\Startup\TRDCReminder.lnk = C:\Programme\Toshiba\TRDCReminder\TRDCReminder.exe (TOSHIBA Europe) O4 - Startup: C:\Users\Default User\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TRDCReminder.lnk = C:\Programme\Toshiba\TRDCReminder\TRDCReminder.exe (TOSHIBA Europe) O4 - Startup: C:\Users\Sawdust\AppData\Roaming\Microsoft\Windows \Start Menu\Programs\Startup\Adobe Gamma.lnk = C:\Programme\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (Adobe Systems, Inc.) O4 - Startup: C:\Users\Sawdust\AppData\Roaming\Microsoft\Windows \Start Menu\Programs\Startup\monmvr32.exe (SecureNet) O6 - HKLM\Software\Policies\Microsoft\Internet Explorer\Low Rights present O6 - HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\pol icies\System: EnableLUA = 0 O8 - Extra context menu item: Nach Microsoft E&xel exportieren - C:\Programme\Microsoft Office\Office12\EXCEL.EXE (Microsoft Corporation) O9 - Extra Button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation) O9 - Extra 'Tools' menuitem : An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\Programme\Microsoft Office\Office12\ONBttnIE.dll (Microsoft Corporation) O9 - Extra Button: eBay - Der weltweite Online Marktplatz - {76577871-04EC-495E-A12B-91F7C3600AFA} - File not found O9 - Extra Button: Amazon.de - {8A918C1D-E123-4E36-B562-5C1519E434CE} - File not found O9 - Extra Button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\Programme\Microsoft Office\Office12\REFIEBAR.DLL (Microsoft Corporation) O9 - Extra Button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe (ICQ, LLC.) O9 - Extra 'Tools' menuitem : ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Programme\ICQ6.5\ICQ.exe (ICQ, LLC.) O13 - gopher Prefix: missing O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} hxxp://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_15) O16 - DPF: {CAFEEFAC-0016-0000-0006-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_06) O16 - DPF: {CAFEEFAC-0016-0000-0015-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_15) O16 - DPF: {CAFEEFAC-FFFF-FFFF-FFFF-ABCDEFFEDCBA} hxxp://java.sun.com/update/1.6.0/jin...ndows-i586.cab (Java Plug-in 1.6.0_15) O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} hxxp://fpdownload2.macromedia.com/ge...sh/swflash.cab (Shockwave Flash Object) O17 - HKLM\System\CCS\Services\Tcpip\Parameters: DhcpNameServer = 192.168.178.1 O18 - Protocol\Handler\grooveLocalGWS {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Programme\Microsoft Office\Office12\GrooveSystemServices.dll (Microsoft Corporation) O18 - Protocol\Handler\ms-help {314111c7-a502-11d2-bbca-00c04f8ec294} - C:\Programme\Common Files\microsoft shared\Help\hxds.dll (Microsoft Corporation) O18 - Protocol\Handler\skype4com {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Programme\Common Files\Skype\Skype4COM.dll (Skype Technologies) O18 - Protocol\Filter\text/xml {807563E5-5146-11D5-A672-00B0D022E945} - C:\Programme\Common Files\microsoft shared\OFFICE12\MSOXMLMF.DLL (Microsoft Corporation) O20 - HKLM Winlogon: Shell - (explorer.exe) - C:\Windows\explorer.exe (Microsoft Corporation) O20 - Winlogon\Notify\igfxcui: DllName - igfxdev.dll - C:\Windows\System32\igfxdev.dll (Intel Corporation) O28 - HKLM ShellExecuteHooks: {B5A7F190-DDA6-4420-B3BA-52453494E6CD} - C:\Programme\Microsoft Office\Office12\GrooveShellExtensions.dll (Microsoft Corporation) O32 - HKLM CDRom: AutoRun - 1 O32 - AutoRun File - [2006.09.18 23:43:36 | 000,000,024 | ---- | M] () - C:\autoexec.bat -- [ NTFS ] O33 - MountPoints2\{4d301273-5ea3-11df-a797-00037a9b6493}\Shell - "" = AutoRun O33 - MountPoints2\{4d301273-5ea3-11df-a797-00037a9b6493}\Shell\AutoRun\command - "" = G:\AutoRun.exe -- File not found O33 - MountPoints2\{4d3012d1-5ea3-11df-a797-00037a9b6493}\Shell - "" = AutoRun O33 - MountPoints2\{4d3012d1-5ea3-11df-a797-00037a9b6493}\Shell\AutoRun\command - "" = G:\AutoRun.exe -- File not found O33 - MountPoints2\{8ec359b1-5112-11df-8fbd-00037a9b6493}\Shell\AutoRun\command - "" = GORDANA/lakicka.exe O33 - MountPoints2\{8ec359b1-5112-11df-8fbd-00037a9b6493}\Shell\open\command - "" = GORDANA/lakicka.exe O33 - MountPoints2\{cb0f48e4-304e-11de-81c3-00238b42cebd}\Shell - "" = AutoRun O33 - MountPoints2\{cb0f48e4-304e-11de-81c3-00238b42cebd}\Shell\AutoRun\command - "" = D:\Launch.exe -- File not found O34 - HKLM BootExecute: (autocheck autochk *) - File not found O35 - HKLM\..comfile [open] -- "%1" %* O35 - HKLM\..exefile [open] -- "%1" %* O36 - AppCertDlls: icachone - (C:\Windows\system32\Complder.dll) - C:\Windows\System32\Complder.dll () O37 - HKLM\...com [@ = comfile] -- "%1" %* O37 - HKLM\...exe [@ = exefile] -- "%1" %* ========== Files/Folders - Created Within 90 Days ========== [2010.09.12 17:32:57 | 000,388,608 | ---- | C] (Trend Micro Inc.) -- C:\Users\Sawdust\Desktop\HiJackThis204.exe [2010.09.12 17:23:01 | 000,000,000 | ---D | C] -- C:\Users\Sawdust\AppData\Roaming\Malwarebytes [2010.09.12 17:22:55 | 000,038,224 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbamswissarmy.sys [2010.09.12 17:22:53 | 000,000,000 | ---D | C] -- C:\ProgramData\Malwarebytes [2010.09.12 17:22:52 | 000,020,952 | ---- | C] (Malwarebytes Corporation) -- C:\Windows\System32\drivers\mbam.sys [2010.09.12 17:22:52 | 000,000,000 | ---D | C] -- C:\Programme\Malwarebytes' Anti-Malware [2010.09.12 17:18:23 | 000,576,000 | ---- | C] (OldTimer Tools) -- C:\Users\Sawdust\Desktop\OTL.exe [2010.09.12 17:15:28 | 006,153,648 | ---- | C] (Malwarebytes Corporation ) -- C:\Users\Sawdust\Desktop\mbam-setup.exe [2010.09.09 19:59:40 | 000,011,776 | ---- | C] (Creative Technology Limited) -- C:\Windows\INRES.DLL [2010.09.09 19:59:40 | 000,000,000 | ---D | C] -- C:\Windows\System32\Data [2010.09.01 11:48:31 | 000,000,000 | ---D | C] -- C:\Programme\TransMac [2010.09.01 11:48:17 | 000,000,000 | ---D | C] -- C:\Users\Sawdust\Desktop\tranmak_7.5 [2010.08.26 11:12:37 | 000,000,000 | ---D | C] -- C:\Users\Sawdust\AppData\Roaming\Trillium Lane [2010.08.26 11:06:18 | 000,000,000 | ---D | C] -- C:\Users\Sawdust\AppData\Roaming\PACE Anti-Piracy [2010.08.26 11:06:18 | 000,000,000 | ---D | C] -- C:\Users\Sawdust\AppData\Local\PACE Anti-Piracy [2010.08.26 11:06:18 | 000,000,000 | ---D | C] -- C:\Programme\Common Files\PACE Anti-Piracy [2010.08.26 11:06:18 | 000,000,000 | ---D | C] -- C:\ProgramData\PACE Anti-Piracy [2010.08.26 10:49:15 | 000,000,000 | ---D | C] -- C:\Programme\InterLok [2010.08.26 10:43:40 | 000,630,784 | ---- | C] (PACE Anti-Piracy) -- C:\Windows\System32\ilinet.dll [2010.08.26 10:43:37 | 000,097,808 | ---- | C] (Digidesign, A Division of Avid Technology, Inc.) -- C:\Windows\System32\drivers\Dalwdm.sys [2010.08.26 10:43:37 | 000,016,400 | ---- | C] (Digidesign, A Division of Avid Technology, Inc.) -- C:\Windows\System32\drivers\diginet.sys [2010.08.17 14:39:17 | 000,000,000 | ---D | C] -- C:\Users\Sawdust\Desktop\RPA3 [2010.08.17 11:52:02 | 000,000,000 | ---D | C] -- C:\ProgramData\Syncrosoft [2004.12.13 08:57:36 | 000,065,536 | ---- | C] ( ) -- C:\Windows\System32\RCCOLLAB.DLL ========== Files - Modified Within 90 Days ========== [2010.09.12 17:39:39 | 000,585,504 | ---- | M] () -- C:\Windows\System32\drivers\ukwbl.sys [2010.09.12 17:39:34 | 002,883,584 | -HS- | M] () -- C:\Users\Sawdust\NTUSER.DAT [2010.09.12 17:32:57 | 000,388,608 | ---- | M] (Trend Micro Inc.) -- C:\Users\Sawdust\Desktop\HiJackThis204.exe [2010.09.12 17:30:59 | 000,000,069 | ---- | M] () -- C:\Windows\NeroDigital.ini [2010.09.12 17:22:57 | 000,000,823 | ---- | M] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk [2010.09.12 17:18:24 | 000,576,000 | ---- | M] (OldTimer Tools) -- C:\Users\Sawdust\Desktop\OTL.exe [2010.09.12 17:15:54 | 006,153,648 | ---- | M] (Malwarebytes Corporation ) -- C:\Users\Sawdust\Desktop\mbam-setup.exe [2010.09.12 17:15:00 | 000,001,096 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineUA.job [2010.09.12 16:54:46 | 000,001,022 | ---- | M] () -- C:\Windows\tasks\Google Software Updater.job [2010.09.12 16:50:47 | 000,001,092 | ---- | M] () -- C:\Windows\tasks\GoogleUpdateTaskMachineCore.job [2010.09.12 16:50:36 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-1.C7483456-A289-439d-8115-601632D005A0 [2010.09.12 16:50:36 | 000,003,216 | -H-- | M] () -- C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-2P-0.C7483456-A289-439d-8115-601632D005A0 [2010.09.12 16:50:32 | 000,000,006 | -H-- | M] () -- C:\Windows\tasks\SA.DAT [2010.09.12 16:50:25 | 000,067,584 | --S- | M] () -- C:\Windows\bootstat.dat [2010.09.12 16:50:22 | 3079,532,544 | -HS- | M] () -- C:\hiberfil.sys [2010.09.12 16:49:01 | 000,524,288 | -HS- | M] () -- C:\Users\Sawdust\NTUSER.DAT{3d4e88f1-6a70-11db-b1ba-d64300c9c793}.TMContainer00000000000000000001.regt rans-ms [2010.09.12 16:49:01 | 000,065,536 | -HS- | M] () -- C:\Users\Sawdust\NTUSER.DAT{3d4e88f1-6a70-11db-b1ba-d64300c9c793}.TM.blf [2010.09.12 16:49:00 | 006,291,456 | -H-- | M] () -- C:\Users\Sawdust\AppData\Local\IconCache.db [2010.09.11 22:01:18 | 000,000,008 | ---- | M] () -- C:\Windows\System32\mssrv32.vxd [2010.09.11 22:00:42 | 000,000,471 | ---- | M] () -- C:\Windows\System32\Datei4 [2010.09.11 22:00:42 | 000,000,471 | ---- | M] () -- C:\Windows\System32\Datei2 [2010.09.11 22:00:42 | 000,000,470 | ---- | M] () -- C:\Windows\System32\Datei3 [2010.09.11 22:00:42 | 000,000,470 | ---- | M] () -- C:\Windows\System32\Datei1 [2010.09.11 22:00:42 | 000,000,469 | ---- | M] () -- C:\Windows\System32\Datei7 [2010.09.11 22:00:42 | 000,000,469 | ---- | M] () -- C:\Windows\System32\Datei5 [2010.09.11 22:00:42 | 000,000,468 | ---- | M] () -- C:\Windows\System32\Datei0 [2010.09.11 22:00:42 | 000,000,467 | ---- | M] () -- C:\Windows\System32\Datei9 [2010.09.11 22:00:42 | 000,000,467 | ---- | M] () -- C:\Windows\System32\Datei8 [2010.09.11 22:00:42 | 000,000,467 | ---- | M] () -- C:\Windows\System32\Datei10 [2010.09.11 22:00:42 | 000,000,465 | ---- | M] () -- C:\Windows\System32\Datei6 [2010.09.11 17:24:52 | 000,046,592 | -H-- | M] () -- C:\Windows\System32\Complder.dll [2010.09.11 17:24:49 | 000,000,024 | ---- | M] () -- C:\Users\Sawdust\AppData\Roaming\apiqfw.dat [2010.09.11 17:23:58 | 000,000,004 | ---- | M] () -- C:\Users\Sawdust\AppData\Roaming\avdrn.dat [2010.09.09 19:59:08 | 000,590,082 | ---- | M] () -- C:\Windows\System32\perfh009.dat [2010.09.09 19:59:07 | 001,427,406 | ---- | M] () -- C:\Windows\System32\PerfStringBackup.INI [2010.09.09 19:59:07 | 000,621,952 | ---- | M] () -- C:\Windows\System32\perfh007.dat [2010.09.09 19:59:07 | 000,123,852 | ---- | M] () -- C:\Windows\System32\perfc007.dat [2010.09.09 19:59:07 | 000,102,094 | ---- | M] () -- C:\Windows\System32\perfc009.dat [2010.09.06 21:56:24 | 312,018,752 | ---- | M] () -- C:\Windows\MEMORY.DMP [2010.09.06 17:51:26 | 000,000,000 | -H-- | M] () -- C:\Windows\System32\drivers\Msft_User_WpdRapi_01_0 0_00.Wdf [2010.09.01 11:48:32 | 000,000,809 | ---- | M] () -- C:\Users\Sawdust\Desktop\TransMac.lnk [2010.09.01 11:47:07 | 001,873,596 | ---- | M] () -- C:\Users\Sawdust\Desktop\tranmak_7.5.rar [2010.08.26 11:35:26 | 000,101,064 | ---- | M] () -- C:\Users\Sawdust\AppData\Local\GDIPFONTCACHEV1.DAT [2010.08.26 11:34:11 | 000,376,632 | ---- | M] () -- C:\Windows\System32\FNTCACHE.DAT [2010.08.23 15:55:07 | 000,000,719 | ---- | M] () -- C:\Users\Public\Desktop\Opera.lnk [2010.08.20 17:40:59 | 000,000,032 | ---- | M] () -- C:\Windows\System32\w3data.vss [2010.08.20 17:40:59 | 000,000,032 | ---- | M] () -- C:\Windows\System32\msvcsv60.dll [2010.08.20 17:40:59 | 000,000,032 | ---- | M] () -- C:\Windows\msocreg32.dat [2010.08.01 21:48:17 | 000,000,013 | ---- | M] () -- C:\Windows\popcinfo.dat [2010.07.28 23:58:29 | 000,077,312 | ---- | M] () -- C:\Users\Sawdust\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini ========== Files Created - No Company Name ========== [2010.09.12 17:22:57 | 000,000,823 | ---- | C] () -- C:\Users\Public\Desktop\Malwarebytes' Anti-Malware.lnk [2010.09.11 17:25:36 | 000,585,504 | ---- | C] () -- C:\Windows\System32\drivers\ukwbl.sys [2010.09.11 17:24:52 | 000,046,592 | -H-- | C] () -- C:\Windows\System32\Complder.dll [2010.09.11 17:24:34 | 000,000,024 | ---- | C] () -- C:\Users\Sawdust\AppData\Roaming\apiqfw.dat [2010.09.11 17:23:58 | 000,000,004 | ---- | C] () -- C:\Users\Sawdust\AppData\Roaming\avdrn.dat [2010.09.06 17:51:26 | 000,000,000 | -H-- | C] () -- C:\Windows\System32\drivers\Msft_User_WpdRapi_01_0 0_00.Wdf [2010.09.01 11:48:32 | 000,000,809 | ---- | C] () -- C:\Users\Sawdust\Desktop\TransMac.lnk [2010.09.01 11:47:07 | 001,873,596 | ---- | C] () -- C:\Users\Sawdust\Desktop\tranmak_7.5.rar [2010.08.26 10:43:38 | 000,217,088 | ---- | C] () -- C:\Windows\System32\qtmlClient.dll [2009.07.30 14:15:43 | 000,000,040 | -HS- | C] () -- C:\ProgramData\.zreglib [2009.07.30 12:33:45 | 000,000,069 | ---- | C] () -- C:\Windows\NeroDigital.ini [2009.07.09 11:28:17 | 000,676,224 | ---- | C] () -- C:\Windows\System32\OGACheckControl.dll [2009.06.11 16:32:08 | 000,000,098 | ---- | C] () -- C:\Windows\WirelessFTP.INI [2009.06.01 11:27:50 | 000,000,000 | ---- | C] () -- C:\Windows\OpPrintServer.INI [2009.05.20 00:17:07 | 000,000,419 | ---- | C] () -- C:\ProgramData\hpzinstall.log [2009.05.17 14:00:18 | 000,001,356 | ---- | C] () -- C:\Users\Sawdust\AppData\Local\d3d9caps.dat [2009.05.07 16:38:09 | 000,000,000 | ---- | C] () -- C:\Windows\tosOBEX.INI [2009.05.01 23:10:53 | 000,765,952 | ---- | C] () -- C:\Windows\System32\xvidcore.dll [2009.05.01 23:10:52 | 000,180,224 | ---- | C] () -- C:\Windows\System32\xvidvfw.dll [2009.04.29 13:39:47 | 000,491,520 | ---- | C] () -- C:\Windows\System32\libencdec.dll [2009.04.23 23:40:50 | 000,000,032 | ---- | C] () -- C:\Windows\System32\msvcsv60.dll [2009.04.23 23:35:26 | 000,721,904 | ---- | C] () -- C:\Windows\System32\drivers\sptd.sys [2009.04.23 23:20:16 | 000,000,000 | ---- | C] () -- C:\Windows\ToDisc.INI [2009.04.23 23:15:46 | 000,905,290 | ---- | C] () -- C:\Windows\System32\libmmd.dll [2009.04.22 21:56:01 | 000,077,312 | ---- | C] () -- C:\Users\Sawdust\AppData\Local\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini [2008.08.26 08:16:28 | 000,000,000 | ---- | C] () -- C:\Windows\NDSTray.INI [2008.08.25 23:09:53 | 000,009,480 | ---- | C] () -- C:\Windows\System32\tosmreg.ini [2008.08.25 23:09:52 | 000,128,113 | ---- | C] () -- C:\Windows\System32\csellang.ini [2008.08.25 23:09:52 | 000,045,056 | ---- | C] () -- C:\Windows\System32\csellang.dll [2008.08.25 23:09:52 | 000,007,671 | ---- | C] () -- C:\Windows\System32\cseltbl.ini [2008.08.25 23:07:26 | 001,060,424 | ---- | C] () -- C:\Windows\System32\WdfCoInstaller01000.dll [2008.08.25 23:04:38 | 000,004,608 | ---- | C] () -- C:\Windows\System32\HdmiCoin.dll [2008.08.25 23:04:36 | 000,147,456 | ---- | C] () -- C:\Windows\System32\igfxCoIn_v1502.dll [2007.12.21 16:46:32 | 000,118,784 | ---- | C] () -- C:\Windows\System32\TosBtAcc.dll [2006.11.02 09:40:29 | 000,013,750 | ---- | C] () -- C:\Windows\System32\pacerprf.ini [2005.07.22 21:30:18 | 000,065,536 | ---- | C] () -- C:\Windows\System32\TosCommAPI.dll ========== LOP Check ========== [2009.10.10 19:49:18 | 000,000,000 | ---D | M] -- C:\Users\Sawdust\AppData\Roaming\Antares Design [2009.04.29 13:39:47 | 000,000,000 | ---D | M] -- C:\Users\Sawdust\AppData\Roaming\Audio Ease [2009.08.12 17:56:44 | 000,000,000 | ---D | M] -- C:\Users\Sawdust\AppData\Roaming\Canneverbe_Limite d [2009.06.01 12:36:43 | 000,000,000 | ---D | M] -- C:\Users\Sawdust\AppData\Roaming\Canon [2009.04.23 23:49:19 | 000,000,000 | ---D | M] -- C:\Users\Sawdust\AppData\Roaming\DAEMON Tools Lite [2009.05.25 10:03:01 | 000,000,000 | ---D | M] -- C:\Users\Sawdust\AppData\Roaming\ePaperPress [2010.09.11 17:42:05 | 000,000,000 | ---D | M] -- C:\Users\Sawdust\AppData\Roaming\ICQ [2009.04.22 09:23:33 | 000,000,000 | ---D | M] -- C:\Users\Sawdust\AppData\Roaming\Opera [2010.08.26 11:10:51 | 000,000,000 | ---D | M] -- C:\Users\Sawdust\AppData\Roaming\PACE Anti-Piracy [2009.07.19 18:40:24 | 000,000,000 | ---D | M] -- C:\Users\Sawdust\AppData\Roaming\Propellerhead Software [2009.04.23 14:40:20 | 000,000,000 | ---D | M] -- C:\Users\Sawdust\AppData\Roaming\Steinberg [2009.05.27 15:56:03 | 000,000,000 | ---D | M] -- C:\Users\Sawdust\AppData\Roaming\Toshiba [2010.08.26 11:12:37 | 000,000,000 | ---D | M] -- C:\Users\Sawdust\AppData\Roaming\Trillium Lane [2010.09.12 16:49:04 | 000,032,606 | ---- | M] () -- C:\Windows\Tasks\SCHEDLGU.TXT ========== Purity Check ========== ========== Alternate Data Streams ========== @Alternate Data Stream - 24 bytes -> C:\Windows:94B1D287B21E9A83 @Alternate Data Stream - 165 bytes -> C:\ProgramData\TEMPFC5A2B2 @Alternate Data Stream - 142 bytes -> C:\Windows\System32\Xí:ˆácpctlsp.log @Alternate Data Stream - 142 bytes -> C:\Windows\System32\,ð:pctlsp.log @Alternate Data Stream - 142 bytes -> C:\Windows\System32:Nw²�wNwºÔIvØôVpctlsp.log @Alternate Data Stream - 1374 bytes -> C:\ProgramData\Microsoft:7EvseLvdLbmzATL9 @Alternate Data Stream - 1360 bytes -> C:\Users\Sawdust\AppData\Local\Temp:5z6STY7n3QGFJS NMD @Alternate Data Stream - 1292 bytes -> C:\Users\Sawdust\AppData\Local\Temp:v9Sl0NtmUrjY9o GGBo9V @Alternate Data Stream - 1274 bytes -> C:\Program Files\Common Files\microsoft shared:GpKA9BXuOZ6ZBpA1iHHV @Alternate Data Stream - 127 bytes -> C:\ProgramData\TEMP:1CA73D29 @Alternate Data Stream - 1232 bytes -> C:\ProgramData\Microsoft:0gUAintNrt3YwSAP8E7w5IMsL Y7 @Alternate Data Stream - 1223 bytes -> C:\ProgramData\Microsoft:7pkwkb2Frp5TvCGDejtV83i5N @Alternate Data Stream - 1183 bytes -> C:\ProgramData\Microsoft:HOojxnwwQcS8b9ik @Alternate Data Stream - 1177 bytes -> C:\ProgramData\Microsoft:tBjBEaMwUv9y8pAjOFGPcO7Se iL7 < End of report > Hijack This HiJackthis Logfile: Code:
ATTFilter Logfile of Trend Micro HijackThis v2.0.4 Scan saved at 17:33:19, on 12.09.2010 Platform: Windows Vista SP1 (WinNT 6.00.1905) MSIE: Internet Explorer v8.00 (8.00.6001.18828) Boot mode: Normal Running processes: C:\Windows\system32\Dwm.exe C:\Windows\system32\taskeng.exe C:\Program Files\Synaptics\SynTP\SynTPEnh.exe C:\Windows\System32\igfxpers.exe C:\Program Files\Toshiba\ConfigFree\NDSTray.exe C:\Program Files\Toshiba\HDMICtrlMan\HDMICtrlMan.exe C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe C:\Program Files\iTunes\iTunesHelper.exe C:\Program Files\Avira\AntiVir Desktop\avgnt.exe C:\Windows\WindowsMobile\wmdSync.exe C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe C:\Program Files\Skype\Phone\Skype.exe C:\Program Files\ICQ6.5\ICQ.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe C:\Program Files\PreSonus\1394AudioDriver_FirePod\FirePod.exe C:\Program Files\Toshiba\HDMICtrlMan\HCMSoundChanger.exe C:\Program Files\PreSonus\1394AudioDriver_FP10\FP10.exe C:\Users\Sawdust\AppData\Local\Apps\2.0\R84O6XE3.0 5Z\DWG4CRRD.CJB\frit..tion_f8d772dfbb3f7453_0002.0 001_0db5bf169ed5c0c1\fritzbox-usb-fernanschluss.exe c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosA2dp.exe c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHid.exe c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtHsp.exe c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosAVRC.exe c:\Program Files\Toshiba\Bluetooth Toshiba Stack\tosOBEX.exe C:\Program Files\Synaptics\SynTP\SynTPHelper.exe C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtProc.exe C:\Windows\explorer.exe C:\Program Files\Opera\opera.exe C:\program files\avira\antivir desktop\avcenter.exe C:\Users\Sawdust\Desktop\OTL.exe C:\Windows\notepad.exe C:\Windows\notepad.exe C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe C:\Windows\system32\NOTEPAD.EXE C:\Windows\system32\SearchFilterHost.exe C:\Users\Sawdust\Desktop\HiJackThis204.exe C:\Windows\system32\DllHost.exe R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = hxxp://go.microsoft.com/fwlink/?LinkId=54896 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = hxxp://go.microsoft.com/fwlink/?LinkId=54896 R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = O1 - Hosts: ::1 localhost O2 - BHO: Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\5.2.4204.1700\s wg.dll O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide O4 - HKLM\..\Run: [win32dll] C:\Program Files\Advanced Invisible Keylogger\Advanced Invisible Keylogger.exe O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe O4 - HKLM\..\Run: [SmoothView] %ProgramFiles%\Toshiba\SmoothView\SmoothView.exe O4 - HKLM\..\Run: [Persistence] C:\Windows\system32\igfxpers.exe O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Nero\Lib\NeroCheck.exe O4 - HKLM\..\Run: [NDSTray.exe] NDSTray.exe O4 - HKLM\..\Run: [NBKeyScan] "C:\Program Files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe" O4 - HKLM\..\Run: [ITSecMng] %ProgramFiles%\TOSHIBA\Bluetooth Toshiba Stack\ItSecMng.exe /START O4 - HKLM\..\Run: [IgfxTray] C:\Windows\system32\igfxtray.exe O4 - HKLM\..\Run: [HSON] %ProgramFiles%\TOSHIBA\TBS\HSON.exe O4 - HKLM\..\Run: [HotKeysCmds] C:\Windows\system32\hkcmd.exe O4 - HKLM\..\Run: [HDMICtrlMan] C:\Program Files\TOSHIBA\HDMICtrlMan\HDMICtrlMan.exe O4 - HKLM\..\Run: [H2O] C:\Program Files\SyncroSoft\Pos\H2O\cledx.exe O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" O4 - HKLM\..\Run: [cfFncEnabler.exe] cfFncEnabler.exe O4 - HKLM\..\Run: [Camera Assistant Software] "C:\Program Files\Camera Assistant Software for Toshiba\traybar.exe" /start O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe" O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir Desktop\avgnt.exe" /min O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [DigidesignMMERefresh] C:\Program Files\Digidesign\Drivers\MMERefresh.exe O4 - HKLM\..\Run: [Windows Mobile-based device management] %windir%\WindowsMobile\wmdSync.exe O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent O4 - HKCU\..\Run: [IndxStoreSvr_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe" ASO-616B5711-6DAE-4795-A05F-39A1E5104020 O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe" -autorun O4 - HKCU\..\Run: [AVMUSBFernanschluss] C:\Users\Sawdust\AppData\Local\Apps\2.0\R84O6XE3.0 5Z\DWG4CRRD.CJB\frit..tion_f8d772dfbb3f7453_0002.0 001_0db5bf169ed5c0c1\AVMAutoStart.exe O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized O4 - HKCU\..\Run: [ICQ] "C:\Program Files\ICQ6.5\ICQ.exe" silent O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKALER DIENST') O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKALER DIENST') O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETZWERKDIENST') O4 - .DEFAULT User Startup: TRDCReminder.lnk = C:\Program Files\Toshiba\TRDCReminder\TRDCReminder.exe (User 'Default user') O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe O4 - Startup: monmvr32.exe O4 - Global Startup: Bluetooth Manager.lnk = ? O4 - Global Startup: FirePod Control Panel.lnk = C:\Program Files\PreSonus\1394AudioDriver_FirePod\FirePod.exe O4 - Global Startup: FP10 Control Panel.lnk = C:\Program Files\PreSonus\1394AudioDriver_FP10\FP10.exe O8 - Extra context menu item: Nach Microsoft E&xel exportieren - res://C:\PROGRA~1\MICROS~1\Office12\EXCEL.EXE/3000 O9 - Extra button: An OneNote senden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll O9 - Extra 'Tools' menuitem: An OneNote s&enden - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~1\Office12\ONBttnIE.dll O9 - Extra button: eBay - Der weltweite Online Marktplatz - {76577871-04EC-495E-A12B-91F7C3600AFA} - hxxp://rover.ebay.com/rover/1/707-44556-9400-3/4 (file missing) O9 - Extra button: Amazon.de - {8A918C1D-E123-4E36-B562-5C1519E434CE} - hxxp://www.amazon.de/exec/obidos/red...k-21&site=home (file missing) O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\Office12\REFIEBAR.DLL O9 - Extra button: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe O9 - Extra 'Tools' menuitem: ICQ6 - {E59EB121-F339-4851-A3BA-FE49C35617C2} - C:\Program Files\ICQ6.5\ICQ.exe O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - hxxp://fpdownload2.macromedia.com/ge...sh/swflash.cab O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\Program Files\Microsoft Office\Office12\GrooveSystemServices.dll O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\Windows\system32\browseui.dll O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe O23 - Service: Avira AntiVir Planer (AntiVirSchedulerService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\sched.exe O23 - Service: Avira AntiVir Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir Desktop\avguard.exe O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe O23 - Service: Digidesign MME Refresh Service (DigiRefresh) - Unknown owner - C:\Program Files\Digidesign\Drivers\MMERefresh.exe (file missing) O23 - Service: Google Update Service (gupdate1ca28ce9bf43f90) (gupdate1ca28ce9bf43f90) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe O23 - Service: Google Software Updater (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe O23 - Service: iPod-Dienst (iPod Service) - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NMSAccessU - Unknown owner - C:\Program Files\CDBurnerXP\NMSAccessU.exe O23 - Service: O2Micro Flash Memory Card Service (o2flash) - O2Micro International - C:\Program Files\O2Micro Flash Memory Card Driver\o2flash.exe O23 - Service: Notebook Performance Tuning Service (TempoMonitoringService) - Toshiba Europe GmbH - C:\Program Files\Toshiba TEMPRO\TempoSVC.exe O23 - Service: TOSHIBA Navi Support Service (TNaviSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\TOSHIBA DVD PLAYER\TNaviSrv.exe O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\Windows\system32\TODDSrv.exe O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\Toshiba\Power Saver\TosCoSrv.exe O23 - Service: TOSHIBA Bluetooth Service - TOSHIBA CORPORATION - c:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtSrv.exe O23 - Service: TOSHIBA SMART Log Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\SMARTLogService\TosIPCSrv.exe O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe -- End of file - 10619 bytes Und Malwarebytes Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Datenbank Version: 4600 Windows 6.0.6001 Service Pack 1 Internet Explorer 8.0.6001.18828 12.09.2010 17:30:44 mbam-log-2010-09-12 (17-30-44).txt Art des Suchlaufs: Quick-Scan Durchsuchte Objekte: 145224 Laufzeit: 6 Minute(n), 36 Sekunde(n) Infizierte Speicherprozesse: 0 Infizierte Speichermodule: 1 Infizierte Registrierungsschlüssel: 0 Infizierte Registrierungswerte: 0 Infizierte Dateiobjekte der Registrierung: 0 Infizierte Verzeichnisse: 0 Infizierte Dateien: 4 Infizierte Speicherprozesse: (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: C:\Windows\System32\Complder.dll (Trojan.PWS.Gen) -> No action taken. Infizierte Registrierungsschlüssel: (Keine bösartigen Objekte gefunden) Infizierte Registrierungswerte: (Keine bösartigen Objekte gefunden) Infizierte Dateiobjekte der Registrierung: (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: (Keine bösartigen Objekte gefunden) Infizierte Dateien: C:\Windows\System32\Complder.dll (Trojan.PWS.Gen) -> No action taken. C:\Users\Sawdust\AppData\Roaming\Microsoft\Windows \Start Menu\Programs\Startup\monmvr32.exe (Trojan.Downloader) -> No action taken. C:\Windows\system32\Drivers\ukwbl.sys (Rootkit.Bubnix) -> No action taken. C:\Users\Sawdust\AppData\Roaming\avdrn.dat (Malware.Trace) -> No action taken. War es das mit meinem System, oder kann man da noch etwas machen? Ich bin auf die Programme des Rechners sehr angewiesen! =( Danke an alle die mir helfen, ich weiss das sehr sehr zu schätzen! LG |
|
13.09.2010, 13:18
| #2 | |
| /// Winkelfunktion /// TB-Süch-Tiger™   | Und nochjemand mit Rootkit RKIT/Agent.biiu :(Zitat:
 Bitte routinemäßig einen Vollscan mit Malwarebytes machen und Log posten. Denk daran, dass Malwarebytes vor jedem Scan manuell aktualisiert werden muss!
__________________ |
|
14.09.2010, 18:07
| #3 |
| | Und nochjemand mit Rootkit RKIT/Agent.biiu :( Ok hier das Log vom Vollscan:
__________________Malwarebytes' Anti-Malware 1.46 www.malwarebytes.org Datenbank Version: 4608 Windows 6.0.6001 Service Pack 1 Internet Explorer 8.0.6001.18828 14.09.2010 19:03:54 mbam-log-2010-09-14 (19-03-54).txt Art des Suchlaufs: Vollständiger Suchlauf (C:\|E:\|) Durchsuchte Objekte: 351364 Laufzeit: 2 Stunde(n), 43 Minute(n), 58 Sekunde(n) Infizierte Speicherprozesse: 0 Infizierte Speichermodule: 0 Infizierte Registrierungsschlüssel: 0 Infizierte Registrierungswerte: 0 Infizierte Dateiobjekte der Registrierung: 0 Infizierte Verzeichnisse: 0 Infizierte Dateien: 2 Infizierte Speicherprozesse: (Keine bösartigen Objekte gefunden) Infizierte Speichermodule: (Keine bösartigen Objekte gefunden) Infizierte Registrierungsschlüssel: (Keine bösartigen Objekte gefunden) Infizierte Registrierungswerte: (Keine bösartigen Objekte gefunden) Infizierte Dateiobjekte der Registrierung: (Keine bösartigen Objekte gefunden) Infizierte Verzeichnisse: (Keine bösartigen Objekte gefunden) Infizierte Dateien: C:\Users\Sawdust\AppData\Local\Opera\Opera\cache\g_001A\opr03L27.tmp (Trojan.Dropper.PGen) -> No action taken. C:\Windows\System32\drivers\ukwbl.sys (Rootkit.Bubnix) -> No action taken. Beim ersten Scan hatte ich die Fehler behoben, drum sind es jetzt nurnoch die beiden. Hoffe ihr könnt mir helfen! =( |
|
14.09.2010, 18:14
| #4 |
| /// Winkelfunktion /// TB-Süch-Tiger™ | Und nochjemand mit Rootkit RKIT/Agent.biiu :( Hast die Funde entfernt?
__________________ Logfiles bitte immer in CODE-Tags posten  |
|
14.09.2010, 18:18
| #5 |
| | Und nochjemand mit Rootkit RKIT/Agent.biiu :( Nein dieses mal nicht. Der Rootkit lässt sich scheinbar so nicht entfernen, da er beim ersten Suchlauf auch mit da war. EDIT: Ich hab das Prog aber noch offen und kann sie entfernen wenn ich das soll. Geändert von Sawdust (14.09.2010 um 18:28 Uhr) |
|
14.09.2010, 18:33
| #6 |
| /// Winkelfunktion /// TB-Süch-Tiger™ | Und nochjemand mit Rootkit RKIT/Agent.biiu :( Ja bitte immer alle Funde mit Malwarebytes löschen. Mach danach ein neues OTL-Log (OTL.txt)
__________________ --> Und nochjemand mit Rootkit RKIT/Agent.biiu :( |
FC5A2B2 deleted successfully.
Linear-Darstellung
